The Shared Security Podcast is sponsored by Silent Pocket. With their patented Faraday cage product line of phone cases, wallets and bags you can block all wireless signals which will make your devices instantly untrackable, unhackable and undetectable. Visit silent-pocket.com for more details.

Hi everyone, I’m Tom Eston, Co-host of the Shared Security podcast. Welcome to the Shared Security Weekly Blaze where we update you on the top 3 security and privacy topics from the week. These weekly podcasts are published every Monday and are 15 minutes or less quickly giving you “news that you can use”.

Researchers from the Israel Institute of Technology announced a critical vulnerability in Bluetooth technology which could allow an attacker, within physical proximity of the Bluetooth device, to intercept, monitor, or change the data being used by the Bluetooth device. Several vendors of Bluetooth implementations, including Apple, Broadcom, Intel and Qualcomm, have firmware and some software drivers that are vulnerable to this attack. The vulnerability exists because the current Bluetooth specification recommends, but does not require, that a device supporting two specific features (called Secure Simple Pairing and LE Secure Connections) validate the public key received over the air when pairing a Bluetooth device. It’s important to note that there is no evidence that this vulnerability is being exploited in the wild and that vendors are working on patches if their implementations of Bluetooth are affected.
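The missing check described above, as an added example that is not from the podcast or from any vendor’s firmware: a Python routine that validates the (x, y) public key a device receives during pairing before using it in the Diffie-Hellman computation. It assumes the P-256 curve that LE Secure Connections uses, a 64-byte X‖Y little-endian wire layout for the pairing public key (an assumption made for the example), and constructed sample points; the well-known P-256 base point is used as the “good” key.

```python
# Added example (not from the podcast): validate an ECDH public key received
# over the air during Bluetooth pairing. P-256 domain parameters from FIPS 186-4.
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
# Base point G, used here only as a known-valid sample public key.
GX = 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296
GY = 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5


def is_on_curve(x: int, y: int) -> bool:
    """True if y^2 == x^3 + a*x + b (mod p), i.e. the point lies on P-256."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_public_key(x: int, y: int) -> tuple[bool, str]:
    """Full public-key validation for a prime-order curve (cofactor 1).

    Returns (ok, reason). A pairing implementation must refuse to compute the
    shared secret when ok is False; using an off-curve point is exactly the
    weakness the specification's optional check was meant to prevent.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of range"
    if x == 0 and y == 0:
        return False, "point at infinity"
    if not is_on_curve(x, y):
        return False, "point not on P-256"
    # P-256 has prime order, so an on-curve affine point is automatically in
    # the prime-order subgroup; no extra order check is needed for cofactor 1.
    return True, "ok"


def encode_pairing_public_key(x: int, y: int) -> bytes:
    """Constructed wire layout assumed by this example: X then Y, 32 bytes each, little-endian."""
    return x.to_bytes(32, "little") + y.to_bytes(32, "little")


def validate_pairing_public_key(raw: bytes) -> tuple[bool, str]:
    """Parse the 64-byte payload and validate the point it carries."""
    if len(raw) != 64:
        return False, "bad length"
    x = int.from_bytes(raw[:32], "little")
    y = int.from_bytes(raw[32:], "little")
    return validate_public_key(x, y)


if __name__ == "__main__":
    # Constructed samples: the genuine base point, its negation (also valid),
    # a y coordinate with one bit flipped, and a y of zero (no such point on P-256).
    samples = {
        "base point": (GX, GY),
        "negated point": (GX, P - GY),
        "bit-flipped y": (GX, GY ^ 1),
        "y = 0": (GX, 0),
        "x out of range": (P, GY),
    }
    for name, (x, y) in samples.items():
        ok, reason = validate_public_key(x, y)
        print(f"{name:16s} -> {'accept' if ok else 'reject'} ({reason})")

    # Same check on the wire form, with one byte of Y tampered in transit.
    pdu = bytearray(encode_pairing_public_key(GX, GY))
    pdu[32] ^= 0x01
    print("tampered PDU     ->", validate_pairing_public_key(bytes(pdu)))
```

The point of the example is that the check is cheap (a few big-integer multiplications) and happens once per pairing, which is why leaving it optional in the specification rather than mandatory is the real problem the researchers identified.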

So what does this Bluetooth vulnerability mean for you? First, always stay up to date on patches for any Bluetooth device that you may be using. For this vulnerability in particular, the good news is that Apple, Intel and Broadcom have already released patches. What may be more problematic are the more obscure “Internet of Things” devices which happen to use Bluetooth and may never receive updates, because they were either manufactured cheaply or were not designed with security updates in mind. This, of course, is a much larger problem that does not have an immediate solution. However, the risk here seems very low for most of us because an attacker needs to be in very close proximity to the victim.

Last week Twitter announced that it removed more than 143,000 malicious apps from their service. Twitter said that the applications were removed between April and June of this year. It did not specify which apps were deleted, saying only that the apps were removed because their developers had violated Twitter’s policies. Twitter stated in a blog post that “We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter”. In addition, Twitter announced a new app registration process for developers which has applicants go through a more rigorous approval process, including requiring developers to include all details on how their apps will be used and limiting the number of apps that developers can create by default to 10.

This news from Twitter comes at a time when other large social networking companies like Facebook are cracking down on malicious and spammy apps. In Facebook’s case, the infamous Cambridge Analytica controversy led Facebook to audit all apps that had requested user data in the past. Facebook has removed around 200 or so apps since it began this audit earlier this year. Facebook has also significantly changed its developer policies to align with better data privacy practices since the Cambridge Analytica controversy.

Google’s Gmail has been rolling out its new redesign over the last several months, which includes a new feature called “confidential” mode. Confidential mode allows you to restrict how sent emails can be viewed and forwarded. Recipients of confidential mail will not be able to forward or print email designated as confidential, and you even have the ability to set an expiration date so that the email is deleted from the recipient’s mailbox. You can also require a passcode delivered by text message for additional security of the email.

While all this sounds well and good, the Electronic Frontier Foundation notes that “confidential” mode does not mean that messages are end-to-end encrypted. Google can still see the contents of your emails because, as we all know, Google makes money off using your data for targeted advertising. The EFF also noted concerns about how expiring messages could be captured by a screenshot or a picture of the screen, and that any expiring message you send is actually kept in your sent items folder, which is really not an expiring message at all. Our advice is that you should use a more vetted and end-to-end encrypted messaging service like Signal or ProtonMail, and only use Gmail’s confidential mode for non-confidential messaging.

That’s a wrap for this week’s show. Please be sure to follow the Shared Security Podcast on all the regular social media channels like Facebook, Twitter and Instagram for frequent posts, commentary and updates. If you have feedback or topic ideas for the show, you can email us at feedback[aT]sharedsecurity.net. First-time listener to the podcast? Please subscribe on iTunes, Google Play, Stitcher, TuneIn, Spotify or iHeartRadio. Thanks for listening, and see you next week for another episode of the Shared Security Weekly Blaze.

The ability to capture screenshots is just the tip of the iceberg of Gmail’s confidential mode issues. Cory (co-author of the EFF article) wrote a follow-up that Google DRM for Email can be disabled by ticking a few boxes in Firefox (thanks to the built-in CSS editor): https://boingboing.net/2018/07/22/adversarial-interop.html